FortiOS v4.0 MR3 Patch Release 12 Release Notes


  • FortiOS v4.0 MR3 Patch Release 12 Release Notes

    May 13, 2013

    01-4312-195080-20130513

    Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    Technical Documentation docs.fortinet.com

    Knowledge Base kb.fortinet.com

    Customer Service & Support support.fortinet.com

    Training Services training.fortinet.com

    FortiGuard fortiguard.com

    Document Feedback [email protected]

  • Table of Contents

    Change Log
    Introduction
        Supported models
            FortiGate
            FortiWiFi
            FortiGate VM
            FortiSwitch
        Summary of enhancements
    FortiOS Carrier
        Supported models
            FortiCarrier
    Special Notices
        TFTP boot process
        Monitor settings for Web-based Manager access
        Before any upgrade
        After any upgrade
        FortiGate 1240B upgrade and downgrade limitations
    Upgrade Information
        Upgrading from FortiOS v4.0 MR3
            Disk logging
            Historical reports upgrade limitation
            SQL logging upgrade limitation
            FortiGate 100D
            FortiGate 3240C
        Upgrading from FortiOS v4.0 MR2
            DDNS
            DNS server
            Ping server
            Central management
            SNMP community
            Modem settings
            AMC slot settings
            Wireless radio settings
            Web filter overrides
            Firewall policy settings
            URL filter
            FortiGuard log filter
            FortiGuard log setting
        Downgrading to previous FortiOS versions
    Product Integration and Support
        Web browser support
        FortiManager support
        FortiAnalyzer support
        FortiClient support
        FortiAP support
        Virtualization software support
        Fortinet Single Sign-On (FSSO) support
        FortiExplorer support (Microsoft Windows/Mac OS X)
        AV Engine and IPS Engine support
        Language support
        Module support
        SSL VPN support
            SSL VPN standalone client
            SSL VPN web mode
            SSL VPN host compatibility list
        Explicit web proxy browser support
    Resolved Issues
        Antivirus
        Data Leak Prevention
        Email Filter
        Firewall
        FortiCarrier
        FortiGate VM
        High Availability
        IPsec VPN
        Logging and Reporting
        Routing
        SSL VPN
        System
        Upgrade
        WAN Optimization and Web Proxy
        Web-based Manager
        Web Filter
        Wireless
    Known Issues
        Firewall
        IPsec VPN
        Logging and Reporting
        SSL VPN
        VoIP
        Web-based Manager
    Limitations
        Citrix Xen server limitations
        Open source Xen limitations
    Image Checksum
    Appendix A: FortiGate VM
        FortiGate VM model information
        FortiGate VM firmware

  • Change Log

    Date Change Description

    2013-02-12 Initial release.

    2013-02-18 Added FG-20C, FWF-20C, FG-20C-ADSL-A, FWF-20C-ADSL-A, FG-60C-POE, and FWF-60CX-ADSL-A to disk logging upgrade notice. Added 196235 and 196962 to known issues chapter.

    2013-02-21 Added FG-VM-XEN support information.

    2013-02-26 Minor update to product integration and support chapter.

    2013-03-14 Corrected resolved issue bug ID. Added bug ID 198417 to known issues chapter.

    2013-03-19 Corrected typographic error.

    2013-04-02 Added 198883 to known issues chapter.

    2013-04-15 Added FG-3240C upgrade information.

    2013-04-29 Corrected Skype CLI syntax.

    2013-05-13 Corrected FSSO support information.

  • Introduction

    This document provides a summary of enhancements, support information, installation instructions, integration, resolved and known issues in FortiOS v4.0 MR3 Patch Release 12 build 0656.

    Supported models

    FortiOS v4.0 MR3 Patch Release 12 supports the following models.

    FortiGate

    FG-20C, FG-20C-ADSL-A, FG-30B, FG-40C, FG-50B, FG-51B, FG-60B, FG-60C, FG-60C-POE, FG-80C, FG-80CM, FG-82C, FG-100A, FG-100D, FG-110C, FG-111C, FG-200A, FG-200B, FG-200B-POE, FG-224B, FG-300A, FG-300C, FG-310B, FG-310B-DC, FG-311B, FG-400A, FG-500A, FG-600C, FG-620B, FG-620B-DC, FG-621B, FG-800, FG-800C, FG-800F, FG-1000A, FG-1000A-FA2, FG-1000A-LENC, FG-1000C, FG-1240B, FG-3016B, FG-3040B, FG-3140B, FG-3600, FG-3600A, FG-3810A, FG-3950B, FG-3951B, FG-5001, FG-5001A, FG-5001B, FG-5001FA2, FG-5002FB2, FG-5005FA2, FG-5101C, and FG-ONE.

    FortiWiFi

    FWF-20C, FWF-20C-ADSL-A, FWF-30B, FWF-40C, FWF-50B, FWF-60B, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-80CM, and FWF-81CM.

    FortiGate VM

    FG-VM32 and FG-VM64.

    FG-3240C

    This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 12. As such, the System > Dashboard > Status page and the output from the get system status CLI command both display 6901 as the build number. To confirm that you are running the proper build, check that the Branch point field in the output of the get system status CLI command reads 0656.

    FG-VM64-XEN

    This model is released on a special branch based off of FortiOS v4.0 MR3 Patch Release 12. As such, the System > Dashboard > Status page and the output from the get system status CLI command both display 5924 as the build number. To confirm that you are running the proper build, check that the Branch point field in the output of the get system status CLI command reads 0656.

  • FortiSwitch

    FS-5203B.

    See http://docs.fortinet.com/fgt.html for additional documents on FortiOS v4.0 MR3.

    Summary of enhancements

    The following is a list of enhancements in FortiOS v4.0 MR3 Patch Release 12:

    Added a CLI command to set the Skype client public IP addresses used for decrypting Skype traffic. The IP addresses are parsed by the IPS engine to decrypt the Skype protocol. To configure use the following CLI syntax:

    config ips global
        set skype-client-public-ipaddr
    end

    Added a CLI command to view logs from FortiCloud on the Web-based Manager. To configure use the following CLI syntax:

    config log gui
        set log-device forticloud
    end

    FortiCloud activation on Web-based Manager for FG-600C and FG-800C

  • FortiOS Carrier

    This chapter provides platform support information for FortiOS Carrier v4.0 MR3 Patch Release 12 build 0656.

    Supported models

    FortiOS Carrier v4.0 MR3 Patch Release 12 supports the following models.

    FortiCarrier

    FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001, FCR-5001A, FCR-5001B, FCR-5001FA2, and FCR-5005FA2.

    Firmware image filenames begin with FK.

    See http://docs.fortinet.com/fgt.html for additional documents on FortiCarrier v4.0 MR3.

  • Special Notices

    TFTP boot process

    The TFTP boot process erases all current firewall configuration and replaces it with the factory default settings.

    Monitor settings for Web-based Manager access

    Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be viewed properly.

    Before any upgrade

    Save a copy of your FortiGate unit configuration prior to upgrading. To back up your FortiGate unit configuration, go to System > Dashboard > Status. On the System Information widget, select Backup under System Configuration. Save the configuration file to your local hard drive.

    After any upgrade

    If you are using the Web-based Manager, clear your browser cache before logging in to the FortiGate to ensure the Web-based Manager screens are displayed properly.

    The virus and attack definitions included with an image upgrade may be older than ones currently available from the FortiGuard Distribution Server. Fortinet recommends performing an Update Now (System > Config > FortiGuard > Antivirus and IPS Options) after upgrading. Consult the FortiOS 4.0 MR3 Handbook or FortiOS Carrier 4.0 MR3 Handbook for detailed procedures.

    FortiGate 1240B upgrade and downgrade limitations

    With the release of FortiOS v4.0 MR3 Patch Release 2 and later, the FortiGate 1240B will run a 64-bit version of FortiOS. This has introduced certain limitations on upgrading firmware in a high availability (HA) environment and downgrading.

    When performing an upgrade from a 32-bit FortiOS version to a 64-bit FortiOS version and the FortiGate 1240Bs are running in a HA environment with the uninterruptable-upgrade option enabled, the upgrade process may fail on the primary device after the subordinate devices have been successfully upgraded. To work around this situation, users may disable the option to allow all HA members to be successfully upgraded. Without the feature enabled, several minutes of service unavailability should be expected.

    Downgrading a FortiGate 1240B from FortiOS v4.0 MR3 Patch Release 2 is not supported due to technical limitations between 64-bit and 32-bit versions of FortiOS. The only procedure to downgrade firmware is by using the TFTP server and BIOS menu to perform the downgrade. In this case the configuration will need to be restored from a previously backed up version.

  • Upgrade Information

    FG-80C

    FWF-60CM FWF-60CX-ADSL-A

    FWF-81CM

    Upgrading from FortiOS v4.0 MR3

    FortiOS v4.0 MR3 Patch Release 12 build 0656 officially supports upgrade from FortiOS v4.0 MR3 Patch Release 11.

    Disk logging

    For optimal performance of your FortiGate unit, disk logging will be disabled during upgrade to FortiOS v4.0 MR3 Patch Release 12. Fortinet recommends you enable logging to FAMS (FortiCloud) on this unit to use the extended logging and reporting capabilities. This change affects the following models:

    FG-20C, FWF-20C

    FG-20C-ADSL-A, FWF-20C-ADSL-A

    FG-40C, FWF-40C

    FG-60C, FWF-60C, FG-60C-POE, FWF-60CM, FWF-60CX-ADSL-A

    FG-80C, FWF-80C, FG-80CM, FWF-80CM

    FG-100D (PN: P09340-04 or earlier)

    FG-300C (PN: P09616-04 or earlier)

    FG-200B without SSD installed

    Historical reports upgrade limitation

    For the following units, historical reports from previous builds will not be retained after upgrading to FortiOS v4.0 MR3 Patch Release 12:

    FG-20C, FWF-20C

    FG-40C, FWF-40C

    FG-60C, FWF-60C

    Please review the Special Notices, Product Integration and Support, Known Issues, and Limitations chapters prior to upgrading. For more information on upgrading your FortiOS device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.

    A limitation in the code specific to the FG-80C, FG-80CM, FWF-80C, and FWF-80CM prevents a message from being displayed warning users that disk logging has been disabled upon upgrading to FortiOS v4.0 MR3 Patch Release 12. If you were using FortiCloud prior to upgrading, the settings are retained and the service continues to operate.

  • Workaround: Download the historical reports to a local hard drive before performing the upgrade.

    SQL logging upgrade limitation

    For the following units, after upgrading to FortiOS v4.0 MR3 Patch Release 12, SQL logging will be retained based on the total size of the RAM available on the device. Logs will use up to a maximum of 10% of the device's RAM and, once past that threshold, any new logs will start to overwrite the older logs. The historical report generation will also be affected based on the SQL logs that are available for query.

    FG-100D

    FG-300C

    FortiGate 100D

    FortiOS v4.0 MR3 Patch Release 12 supports the FortiGate 100D platform. Included with this model is a special purpose management port that operates on its own virtual domain (VDOM).

    An issue exists with this feature whereby FortiCare registration fails when initiated from the FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare.

    Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR2 Patch Release 12 or later does not switch the management VDOM. You must change the management VDOM from the default setting to the root VDOM.

    To do this, use the following CLI commands:

    config system global
        set management-vdom root
    end

    FortiGate 3240C

    FortiOS v4.0 MR3 Patch Release 12 build 6901 for the FortiGate 3240C officially supports upgrade from FortiOS v4.0 MR3 Patch Release 6 build 4231.

    Upgrading from FortiOS v4.0 MR2

    Please upgrade to the latest FortiOS v4.0 MR2 patch release prior to upgrading to v4.0 MR3 Patch Release 12. For more information, see the respective FortiOS v4.0 MR2 Patch Release Notes.

    DDNS

    DDNS configurations under interface are moved to global mode config system ddns after upgrading.

    Please review the Special Notices, Product Integration and Support, Known Issues, and Limitations chapters prior to upgrading. For more information on upgrading your FortiOS device, see the FortiOS 4.0 MR3 Handbook at http://docs.fortinet.com.

  • DNS server

    The dns-query recursive/non-recursive option under specific interfaces is moved to the system level per VDOM mode, and config system dns-server can be used to configure the option after upgrading.

    Ping server

    The gwdetect related configurations under specific interfaces are moved under router per VDOM mode and config router gwdetect can be used to configure the option after upgrading.

    Central management

    The set auto-backup disable and set authorized-manager-only enable configurations under config system central-management are removed after upgrading.

    SNMP community

    A 32-bit network mask will be added to the IP address of an SNMP host after upgrading.

    Modem settings

    The wireless-custom-vendor-id and wireless-custom-product-id are moved from config system modem to config system 3g-modem custom after upgrading.

    AMC slot settings

    The default value of ips-weight under config system amc-slot will be changed from balanced to less-fw after upgrading.

    Wireless radio settings

    Wireless radio settings excluding SSID, Security Mode, and authentication settings, will be lost after upgrading.

    Web filter overrides

    The contents of web filter overrides will be lost after upgrading from FortiOS v4.0 MR2 Patch Release 4 build 0313 to FortiOS v4.0 MR2 Patch Release 14.

    Firewall policy settings

    If the source interface or destination interface is set as the amc-XXX interface, the default value of ips-sensor under config firewall policy is changed from all_default to default after upgrading.

    URL filter

    The action options in the urlfilter configuration have been changed from Allow, Pass, Exempt, and Block to Allow, Monitor, Exempt, and Block. The Allow action will not generate a log entry in FortiOS v4 MR3 Patch Release 1 and later. The Monitor action will act as the function that allows log reporting. The Pass action in FortiOS v4.0 MR2 has been merged with Exempt in FortiOS v4.0 MR3 Patch Release 1 and the CLI command has been changed from set action pass to set exempt pass.

    FortiGuard log filter

    The settings of config log fortiguard filter are removed after upgrading.

    FortiGuard log setting

    The options quotafull and use-hdd in config log fortiguard setting are removed upon upgrading.
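The configuration changes listed above for an upgrade from FortiOS v4.0 MR2 can be checked against a configuration backup before upgrading. The following is an added example, not Fortinet code: it walks the config/edit/set/next/end structure of a backup and flags settings these notes say are moved, removed or changed. The function and rule names are hypothetical, the sample configuration and its values are constructed, and the block names config system interface and config webfilter urlfilter are assumptions about where dns-query and the urlfilter action are stored.

```python
# Added example (not Fortinet code): flag settings in a FortiOS v4.0 MR2
# configuration backup that the release notes say are moved, removed or
# changed by the upgrade to v4.0 MR3.
from collections import namedtuple

Finding = namedtuple("Finding", "lineno context setting note")

# (outermost config block, setting or None for any, value or None for any, note)
# Names come from the release notes, except the two blocks marked "assumed".
RULES = [
    ("system central-management", "auto-backup", "disable", "removed after upgrading"),
    ("system central-management", "authorized-manager-only", "enable", "removed after upgrading"),
    ("log fortiguard filter", None, None, "all settings removed after upgrading"),
    ("log fortiguard setting", "quotafull", None, "option removed upon upgrading"),
    ("log fortiguard setting", "use-hdd", None, "option removed upon upgrading"),
    ("system modem", "wireless-custom-vendor-id", None, "moved to config system 3g-modem custom"),
    ("system modem", "wireless-custom-product-id", None, "moved to config system 3g-modem custom"),
    ("system interface", "dns-query", None, "moved to config system dns-server"),  # block assumed
    ("webfilter urlfilter", "action", "pass", "Pass is merged with Exempt"),  # block assumed
]

# Constructed sample backup; every value below is illustrative.
SAMPLE = """\
config system interface
    edit "wan1"
        set ip 192.0.2.10 255.255.255.0
        set dns-query recursive
    next
end
config system central-management
    set auto-backup disable
    set authorized-manager-only enable
end
config system modem
    set wireless-custom-vendor-id 0x1234
end
config log fortiguard setting
    set status enable
    set quotafull overwrite
end
config log fortiguard filter
    set traffic enable
end
config webfilter urlfilter
    edit 1
        config entries
            edit "example.com"
                set action pass
            next
            edit "example.org"
                set action block
            next
        end
    next
end
"""


def audit(config_text):
    """Walk config/edit/set/next/end lines and return a Finding per rule hit."""
    findings = []
    stack = []  # open blocks, outermost first: [block name, current edit entry]
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        word, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        if word == "config":
            stack.append([rest, None])
        elif word == "end" and stack:
            stack.pop()
        elif word == "edit" and stack:
            stack[-1][1] = rest.strip('"')
        elif word == "next" and stack:
            stack[-1][1] = None
        elif word == "set" and stack:
            key, _, value = rest.partition(" ")
            value = value.strip().strip('"')
            context = " > ".join(
                name if entry is None else f"{name} [{entry}]" for name, entry in stack
            )
            for block, setting, wanted, note in RULES:
                if stack[0][0] != block:
                    continue  # rule applies to a different top-level block
                if setting is not None and key != setting:
                    continue
                if wanted is not None and value != wanted:
                    continue
                findings.append(Finding(lineno, context, f"{key} {value}", note))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.lineno}: {f.context}: set {f.setting} ({f.note})")
```

Settings whose default value changes on upgrade, such as ips-weight and ips-sensor, do not appear in a backup unless explicitly set, so this check does not cover them.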

    Downgrading to previous FortiOS versions

    Downgrading to previous FortiOS versions results in configuration loss on all models. Only the following settings are retained:

    operation modes

    interface IP/management IP

    route static table

    DNS settings

    VDOM parameters/settings

    admin user account

    session helpers

    system access profiles.

  • Product Integration and Support

    Web browser support

    FortiOS v4.0 MR3 Patch Release 12 supports the following web browsers:

    Microsoft Internet Explorer versions 8 and 9

    Mozilla Firefox versions 15, 16, and 17

    Other web browsers may function correctly, but are not supported by Fortinet.

    FortiManager support

    FortiOS v4.0 MR3 Patch Release 12 is supported by FortiManager v4.0 MR3 Patch Release 7 or later.

    FortiAnalyzer support

    FortiOS v4.0 MR3 Patch Release 12 is supported by FortiAnalyzer v4.0 MR3 Patch Release 6 or later.

    If you are using a FortiAnalyzer unit running FortiAnalyzer v4.0 MR2, you must upgrade it to FortiAnalyzer v4.0 MR3. FortiAnalyzer units running FortiAnalyzer v4.0 MR2 will not function correctly with FortiOS v4.0 MR3 Patch Release 12.

    FortiClient support

    FortiOS v4.0 MR3 Patch Release 12 is fully compatible with FortiClient v4.0 MR2 Patch Release 8 or later and FortiClient v4.0 MR3 Patch Release 5 or later for the following operating systems:

    Microsoft Windows 7 (32-bit & 64-bit)

    Microsoft Windows Vista (32-bit & 64-bit)

    Microsoft Windows XP (32-bit)

    Other operating systems may function correctly, but are not supported by Fortinet.

    FortiAP support

    FortiOS v4.0 MR3 Patch Release 12 supports the following FortiAP models:

    FAP-112B, FAP-210B, FAP-220A, FAP-220B, FAP-221B, FAP-222B, FAP-223B, and FAP-320B

    The FortiAP devices must be running FortiAP v4.0 MR3 Patch Release 9 or later.

  • Virtualization software support

    FortiOS v4.0 MR3 Patch Release 12 supports the following virtualization software:

    VMware ESX/ESXi versions 4.0, 4.1, 5.0 and 5.1

    Citrix XenServer 5.6 Service Pack 2 and 6.0

    Open Source Xen 3.4.3 and 4.1

    See the Limitations chapter for more information.

    Fortinet Single Sign-On (FSSO) support

    FortiOS v4.0 MR3 Patch Release 12 is supported by FSSO v4.0 MR3 build 0129 for the following:

    Microsoft Windows Server 2012 Standard Edition

    Microsoft Windows Server 2008 32-bit

    Microsoft Windows Server 2008 64-bit

    Microsoft Windows Server 2008 R2 64-bit

    Microsoft Windows Server 2003 R2 32-bit

    Microsoft Windows Server 2003 R2 64-bit

    Novell eDirectory 8.8

    FSSO does not currently support IPv6.

    Other server environments may function correctly, but are not supported by Fortinet.

    FortiExplorer support (Microsoft Windows/Mac OS X)

    FortiOS v4.0 MR3 Patch Release 12 is supported by FortiExplorer v2.0.1022 or later.

    AV Engine and IPS Engine support

    FortiOS v4.0 MR3 Patch Release 12 is supported by AV Engine v4.398 and IPS Engine v2.127 or later.

  • Language support

    The following table lists FortiOS language support information.

    To change the FortiGate language setting, go to System > Admin > Settings, in View Settings > Language select the desired language on the drop-down menu.

    Module support

    FortiOS v4.0 MR3 Patch Release 12 supports Advanced Mezzanine Card (AMC), Fortinet Mezzanine Card (FMC), Rear Transition Modules (RTM), and Fortinet Storage Module (FSM) removable modules. These modules are not hot swappable. The FortiGate unit must be turned off before a module is inserted or removed.

    The following table lists supported modules and FortiGate models.

    Table 1: FortiOS language support

    Language Web-based Manager Documentation

    English

    French -

    Portuguese (Brazil) -

    Spanish (Spain) -

    Korean -

    Chinese (Simplified) -

    Chinese (Traditional) -

    Japanese -

    Table 2: Supported modules and FortiGate models

    AMC/FMC/FSM/RTM Modules FortiGate Model

    Storage Module 500GB HDD Single-Width AMC (ASM-S08)

    FG-310B, FG-620B, FG-621B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW

    Storage Module 64GB SSD Fortinet Storage Module (FSM-064)

    FG-200B, FG-311B, FG-1240B, FG-3040B, FG-3140B, FG-3951B

    Accelerated Interface Module 4xSFP Single-Width AMC (ASM-FB4)

    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW

    Accelerated Interface Module 2x10-GbE XFP Double-Width AMC (ADM-XB2)

    FG-3810A, FG-5001A-DW

    Accelerated Interface Module 8xSFP Double-Width AMC (ADM-FB8)

    FG-3810A, FG-5001A-DW

  • Bypass Module 2x1000 Base-SX Single-Width AMC (ASM-FX2)

    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW

    Bypass Module 4x10/100/1000 Base-T Single-Width AMC (ASM-CX4)

    FG-310B, FG-311B, FG-620B, FG-621B, FG-1240B, FG-3016B, FG-3600A, FG-3810A, FG-5001A-SW

    Security Processing Module 2x10/100/1000 SP2 Single-Width AMC (ASM-CE4)

    FG-1240B, FG-3810A, FG-3016B, FG-5001A-SW

    Security Processing Module 2x10-GbE XFP SP2 Double-Width AMC (ADM-XE2)

    FG-3810A, FG-5001A-DW

    Security Processing Module 4x10-GbE SFP+ Double-Width AMC (ADM-XD4)

    FG-3810A, FG-5001A-DW

    Security Processing Module 8xSFP SP2 Double-Width AMC (ADM-FE8)

    FG-3810A

    Rear Transition Module 10-GbE backplane fabric (RTM-XD2)

    FG-5001A-DW

    Security Processing Module (ASM-ET4)

    FG-310B, FG-311B

    Rear Transition Module 10-GbE backplane fabric (RTM-XB2)

    FG-5001A-DW

    Security Processing Module 2x10-GbE SFP+ (FMC-XG2)

    FG-3950B, FG-3951B

    Accelerated Interface Module 2x10-GbE SFP+ (FMC-XD2)

    FG-3950B, FG-3951B

    Accelerated Interface Module 20xSFP (FMC-F20)

    FG-3950B, FG-3951B

    Accelerated Interface Module 20x10/100/1000 (FMC-C20)

    FG-3950B, FG-3951B

    Security Processing Module (FMC-XH0)

    FG-3950B

  • SSL VPN support

    SSL VPN standalone client

    FortiOS v4.0 MR3 Patch Release 12 supports the SSL VPN tunnel client standalone installer build 2281 for the following:

    Microsoft Windows XP, Windows 7, and Windows 8 in .exe and .msi format

    Linux CentOS and Ubuntu in .tar.gz format

    Virtual Desktop in .jar format for Microsoft Windows 7

    Mac OS X v10.7 Lion in .dmg format.

    Other operating systems may function correctly, but are not supported by Fortinet.

    SSL VPN web mode

    The following web browsers are supported by FortiOS v4.0 MR3 Patch Release 12 for the SSL VPN web mode feature:

    Microsoft Internet Explorer versions 8 and 9

    Mozilla Firefox version 18

    Apple Safari version 6

    Other web browsers may function correctly, but are not supported by Fortinet.

    Table 3: Supported operating systems

    Operating System Support

    Microsoft Windows 8 64-bit

    Microsoft Windows 7 32-bit SP1

    Microsoft Windows 7 64-bit SP1

    Microsoft Windows XP 32-bit SP3

    Linux CentOS 5.6

    Ubuntu 12.0.4

    Mac OS X v10.7 Lion

    Virtual Desktop Support

    Microsoft Windows 7 32-bit SP1

  • SSL VPN host compatibility list

    The following tables list the antivirus and firewall client software packages that are supported.

    Table 4: Supported Microsoft Windows XP antivirus and firewall software

    Product Antivirus Firewall

    Symantec Endpoint Protection v11

    Kaspersky Antivirus 2009

    McAfee Security Center v8.1

    Trend Micro Internet Security Pro

    F-Secure Internet Security 2009

    Table 5: Supported Microsoft Windows 7 32-bit antivirus and firewall software

    Product Antivirus Firewall

    CA Internet Security Suite Plus Software

    AVG Internet Security 2011

    F-Secure Internet Security 2011

    Kaspersky Internet Security 2011

    McAfee Internet Security 2011

    Norton 360 Version 4.0

    Norton Internet Security 2011

    Panda Internet Security 2011

    Sophos Security Suite

    Trend Micro Titanium Internet Security

    ZoneAlarm Security Suite

    Symantec Endpoint Protection Small Business Edition 12.0

    Table 6: Supported Microsoft Windows 7 64-bit antivirus and firewall software

    Product Antivirus Firewall

    CA Internet Security Suite Plus Software

    AVG Internet Security 2011

    F-Secure Internet Security 2011

    Kaspersky Internet Security 2011

    McAfee Internet Security 2011

    Norton 360 Version 4.0

    Norton Internet Security 2011

    Panda Internet Security 2011

    Sophos Security Suite

    Trend Micro Titanium Internet Security

    ZoneAlarm Security Suite

    Symantec Endpoint Protection Small Business Edition 12.0

  • Explicit web proxy browser support

    The following web browsers are supported on FortiOS v4.0 MR3 Patch Release 12 for the explicit web proxy feature:

    Microsoft Internet Explorer versions 8 and 9

    Mozilla Firefox versions 17 and 18

    Other web browsers may function correctly, but are not supported by Fortinet.

  • Resolved Issues

    The resolved issues tables listed below do not list every bug that has been corrected with FortiOS v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug, please contact Customer Service & Support.

    Antivirus

    Table 7: Resolved antivirus issues

    Bug ID Description

    181320 The av-failopen setting will cause the FortiGate not to scan any traffic when booting up.

    Data Leak Prevention

    Table 8: Resolved data leak prevention issues

    Bug ID Description

    178125 The SMTP body filter prevents a banned/blocked word from passing through the firewall in an SMTP message.

    179575 FTP DLP rules are affecting FTPS; FTPS rules have no effect.

    180010 The Samba client daemon only starts when the FortiGate is configured in NAT mode; transparent mode connections to Samba fail.

    Email Filter

    Table 9: Resolved email filter issues

    Bug ID Description

    154340 The proxyworker process crashes with signal 7 errors on emails.

    170139 The antispam ASE caused the scanunitd daemon to crash.

    174190 scanunitd daemon usage issue, CPU is at 99% until aborted by the alarm clock when parsing a specific email.

    174918 Arabic mixed with non-Arabic font for email attachments are not inspected. The MIME parser is not correctly decoding.

    184017 The scanunitd daemon crashed.

    Firewall

    Table 10: Resolved firewall issues

    Bug ID Description

    151096 LDAPS authenticated user was unexpectedly cached.

    156828 FTP upload traffic does not work when antivirus scanning is enabled.

    161883 IM cannot block file transfer by MSN 2011 on Windows 7 with block-file enabled.

    178932 Problems when enabling the SCCP VoIP profile.

    184375 Uploads are interrupted by FortiGate devices with the load balancer feature enabled.

    184809, 190973 VSD process usage issue, high CPU.

    187549 DCE-RPC high ports not allowed when using Microsoft System Center Operations Manager (SCOM) 2012.

    189828 RADIUS accounting should include extra fields (NAS IP Address/Framed IP Address/Called Station ID/Timestamp).

    192195 Traffic is dropped by the NP4 processor with the traffic shaping feature enabled.

    193096 VSD daemon crashes while handling 50 concurrent sessions.

    193099 VSD daemon stops handling connections and CPU usage is at 99%.

    193497 Some IPv6 sessions cannot be displayed when using the CLI command diagnose system session6 list.

    FortiCarrier

    Table 11: Resolved FortiCarrier issues

    Bug ID Description

    188169 Mass MMS communication sockets are not removed after use.

    FortiGate VM

    Table 12: Resolved FortiGate VM issues

    Bug ID Description

    186173 The Fortigate-VM64.hw07.vmxnet2.ovf and Fortigate-VM.hw07_vmxnet2.ovf VM versions cannot support HA.

    High Availability

    Table 13: Resolved high availability issues

    Bug ID Description

    156040 Redundant HA in-sync log messages.

    174187 FortiGate slave experiences a cw_acd and cmdbsvr crash when synchronizing configuration; attempts to access VDOM settings before the VDOM is created.

    184052 High latency and sessions being dropped during HA failover (active-active).

    185272 When displaying a log message in a slave event log, the slave clock is adjusted to an invalid time.

    186053 All heartbeat links fail simultaneously, triggered by traffic.

    186520 HA configuration synchronization fails.

    188912 Devices cannot get updates when configured in HA.

    190237 Changing firewall policy attributes does not cause the checksum to change.

    190567 Blades becoming unresponsive in a four blade active-active cluster.

    192178 HA master fails to remove the slave's VLAN interface and IPsec VPN interface which results in IPsec VPN failures.

    194610 A FortiGate slave will fail to send logs to FortiAnalyzer if the management VDOM ID on the master and slave is different.

    IPsec VPN

    Table 14: Resolved IPsec VPN issues

    Bug ID Description

    178665 L2TP over IPsec client cannot ping to the internal network if the FortiGate has a PPPoE WAN connection.

    180980 Unable to get an IP address via L2TP over IPsec tunnel when using Chrome OS.

    182017 A FortiGate PPTP client using PAP fails.

    182910 The IPsec monitor shows the wrong user name for a dialup VPN with RSA aggressive mode.

    183382 Invalid ESP packets are regularly generated.

    190405 IKEv2 DPD failure which brings down the tunnel when the peer was still reachable.

    190598 IPsec hub and spoke issue when the session is not NP offloaded.

    193049 Invalid ESP errors for dialup clients.

    Logging and Reporting

    Table 15: Resolved logging and reporting issues

    Bug ID Description

    153422 The IPv6 traffic log sent to a syslog server does not match the log in memory.

    177175 Incorrect value for source interface field in a traffic log file for denied traffic.

    177242 Filter log by time field, improperly affected time zone setting.

    177399 The attack ID for IM/P2P applications is displayed incorrectly in the log as 0.

    182615 IP address range filter does not work properly.

    183538 FortiGate does not send cpu-memory-usage log to a FortiAnalyzer after restoring a backup configuration.

    186797 Miglogd daemon usage issue, high CPU when syslogd2 server is defined.

    186918 Alertmail shows Failed to send alert email in logs, but the message has actually been sent.

    191663 The vpn.Last10.User.SSL.Login and vpn.Top10.User.SSL.Volume.last24h reports do not show correct information or the report is empty.

    191687 Configuration change events are not forwarded to the syslog server.

    192869 Under certain conditions the fdslogd daemon can over utilize CPU resources.

    Routing

    Table 16: Resolved routing issues

    Bug ID Description

    185808 PIM-SSM multicast stream is pruned while other IGMPv3 receivers are still present.

    193990 The AS-CONFED-SEQ attribute is incorrectly sent when using route-map to prepend as-path.

    SSL VPN

    Table 17: Resolved SSL VPN issues

    Bug ID Description

    180878 Incorrect traffic statistics are displayed in SSL VPN tunnel mode on Windows 8.

    182464 The SSL VPN tunnel widget does not work in the web mode portal using Internet Explorer version 10 on Windows 8.

    183019 In Windows Active Directory protocol, the attribute memberOf does not include primary group, although it is considered as a user's super-group. If the customer specifies this primary group as the match condition, the authentication will fail.

    184140 The RDP login screen is not displayed in full screen mode with SSL VPN in web mode.

    184522 Failed to access an SSL VPN bookmark on the Web-based Manager.

    188139 An error message is displayed when a user logs in to a web mode SSL VPN with PKI enabled.

    189680 An SSL VPN portal with a 4096-bit RSA key size refuses the connection.

    189800 Unable to connect to an SSL VPN unless using FortiClient v5.00.

    191068 An SSL VPN could not be accessed for a newly created VDOM.

    191278 The FortiGate SSL VPN web portal will display an error message when editing or creating an entry on an OWA email server calendar.

    191672 OA page is incorrectly displayed in SSL VPN web proxy mode.

    192344 Cross site scripting vulnerability on the SSL VPN portal.

    193651 The SSL VPN daemon crashes when accessing a Citrix server in web mode.

    System

    Table 18: Resolved system issues

    Bug ID Description

    161876 The FG-600C gets a power supply 2 failure event log error when the optional power supply is not installed.

    173548 Streaming query changes query VDOM to the current VDOM; cmdbsvr process will crash if the VDOM is invalid.

    175326 FortiGate responds to ARP requests on 192.168.0.1 on the MGMT1 interface.

    176202 The VLAN interface is missing after a reboot.

    178545 The average network usage is displayed incorrectly with XH0 modules.

    183013 The field list cache being used for filtering log is not cleared after each log is matched.

    183191 The link change indicator from hardware link scan is not stable and can sometimes be a false indicator.

    183983 Oversized ICMPv6 packets are being scanned and dropped.

    184206 Russian FSTEK certification requirement for image checksum.

    184314 Add/remove of a physical interface to 802.3ad aggregation brings the aggregate port down.

    184932 Unable to administratively bring down or bring up a tunnel interface via the CLI under config global.

    185315 System hangs while console printed NMI watchdog messages.

    185606 There is an SNMP problem when using 250 VDOMs.

    186169 FG-5001A CPUs are not properly load-balanced.

    186523 FortiToken activation fails on particular FortiGuard Distribution Servers (FDS).

    187519 The speed LED on a shared NIC port is not lit on the FG-800C.

    187878 Removing the secondary IP disconnects the admin session.

    188544 The diagnose sys session6 filter CLI command shows src twice.

    188772 The diagnose system top CLI command for CPU usage is not correct.

    189061 Dedicated sniffer mode > scheduled updates does not work.

    189120 For IPv6 traffic, NP4 does not support load balancing to four host queues and it is always sent to queue 0.

    189304 Using the administrative status to bring down a port on a FG-1000C causes the system to hang.

    190016 Memory leak in the NP4/XLR/XLIP IPsec installation routine.

    190142 A VLAN interface responds even though it is administratively down.

    190160 A FG-3950B with sp-load-balance mode enabled only passed 1/3 of SP2 traffic as the other two host channels were down.

    190797 Configuration changes cannot be pushed to the controller daemon.

    190829 RADIUS SSH authentication on a FG-100D one-arm IDS fails.

    190990 The system crashed with an ehci_hcd fatal error message.

    191112 Failed to import CRL which had expiry date after 2038.

    191119 XLP driver issue that could cause the FG-5101C to crash with a kernel panic.

    191231 System does not write the configuration to flash.

    192347 Session is dropped unexpectedly with NP4 IPsec offloading.

    192360 Memory statistics are incorrectly displayed in the CLI command diagnose system top.

    193169 ntpd daemon usage issue, CPU is at 99%.

    195097 Does not print the RADIUS authentication initial process message.

    195168 Allow users to switch FortiCloud accounts.

    195753 cw_acd daemon memory leak issue occurs.

    Upgrade

    Table 19: Resolved upgrade issues

    Bug ID Description

    180537 Web pages reset after upgrading cluster to FortiOS v4.0 MR3 Patch Release 9 using TMG proxy.

    190671 ASpath-list regex entry does not work after upgrading to build 0646.

    WAN Optimization and Web Proxy

    Table 20: Resolved WAN Optimization and Web Proxy issues

    Bug ID Description

    181009 Nested groups break web/FTP explicit proxy.

    190746 The WAD daemon crashes for HTTP .09 traffic if DLP scan is enabled.

    190968 There is a WAD memory leak (default_cmem_object) after enabling HTTP WAN Optimization.

    Web-based Manager

    Table 21: Resolved Web-based Manager issues

    Bug ID Description

    150041 Signature entry in IPS sensor does not display the rule name.

    156340 SSL renegotiation DoS attack for HTTPS.

    174917 Unable to see archived IM messages in Log & Archive Access - IM Archive Access.

    189029 No FortiToken is listed in the Web-based Manager when editing an administrator with remote authentication enabled.

    190694 Policy items are not displayed when accessing the FortiGate through an SSL VPN portal.

    191509 Allow the web filtering custom category to be disabled per-profile in the Web-based Manager.

    Web Filter

    Table 22: Resolved web filter issues

    Bug ID Description

    135343 FortiGuard quota counter is incremented even though the session is closed.

    178127 Web filter block failures for specially crafted packets.

    179265 CN based HTTPS web URL filtering does not work well on an external proxy environment, when exempt is configured.

    188607 FortiGuard service is intermittently unavailable. Restarting the urlfilter process is required to recover.

    189987 HTTPS redirect to proxy issue with safe search enabled.

    191120 The option to allow websites when a rating error occurs does not work as expected.

    Wireless

    Table 23: Resolved wireless issues

    Bug ID Description

    131373, 186562 Wireless AP does not work if the physical WLAN is set to WPA2.

    169666 Change wireless channel generation method, and introduce the addition of country code for wireless controller's wtp-profile.

    177422 WiFi issue with HP tablet related to 802.11n MSDU frame aggregation.

    183807 Multiple enhancements for supporting a large number of FortiAPs and wireless client connection fixes.

    192789 A phone hot-spot could be detected as a rogue-ap-on-wire, rogue-ap-detected, or rogue-ap-off-air when the hot-spot is disabled and the phone user is using the WiFi client.

  • Known Issues

    The known issues tables listed below do not list every bug that has been reported with FortiOS v4.0 MR3 Patch Release 12 build 0656. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

    Firewall

    Table 24: Known firewall issues

    Bug ID Description

    194548 Issues with source and destination subnet translation when using virtual IP range and IP pool.

    IPsec VPN

    Table 25: Known IPsec VPN issues

    Bug ID Description

    198417 IPsec connections traversing an NP interface may fail and cause the FortiGate device to hang.

    Logging and Reporting

    Table 26: Known logging and reporting issues

    Bug ID Description

    183778 FortiGate is not populating the interface-policy field into DoS logs.

    195724 When browsing the traffic log the page failed to load.

    SSL VPN

    Table 27: Known SSL VPN issues

    Bug ID Description

    179445 Unable to connect to Citrix application through SSL VPN on Windows 7 Enterprise.

    VoIP

    Table 28: Known VoIP issues

    Bug ID Description

    195540 No audio for an incoming call forwarded to an internal extension which is then forwarded to an outside number.

    Web-based Manager

    Table 29: Known Web-based Manager issues

    Bug ID Description

    196235 The System Information widget has a Details link which displays a list of firmware. Upgrading or downgrading the firmware from this page displays an Access denied error message.

    Workaround: Use the Update link in the System Information widget or update the firmware using the CLI.

    196962 Installing a new license file for a FG-VM displays an Access denied error message.

    Workaround: Rebooting the system once prevents the error message from being displayed a second time.

    198883 Interface zone names or firewall addresses that have an ampersand (&) character may not be viewable in the Web-based Manager.

  • Limitations

    This section outlines the limitations in FortiOS v4.0 MR3 Patch Release 12 build 0656.

    Citrix Xen server limitations

    The following limitations apply to Citrix XenServer installations:

    XenTools installation is not supported.

    FortiGate VM can be imported or deployed in only the following three formats:

    XVA (recommended)

    VHD

    OVF

    The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

    Open source Xen limitations

    When using Ubuntu 11.10, Xen 4.1.0, and libvirt 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

  • Image Checksum

    The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support website located at https://support.fortinet.com. After logging in, click on Download > Firmware Image Checksum, enter the image file name, including the extension, and select Get Checksum Code.

    Figure 1: Firmware image checksum tool
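    The local half of this check, as an added example (not Fortinet code): compute the MD5 of the downloaded image and compare it with the code returned by the Firmware Image Checksum page before the image is uploaded to a device. The function names and the file name in the usage comment are assumptions made for the example.

```python
import hashlib
import hmac
import re
import sys

# An MD5 digest in hex is exactly 32 hexadecimal characters.
_MD5_HEX = re.compile(r"[0-9a-f]{32}")


def normalize_checksum(published):
    """Clean up a checksum pasted from the support site.

    Copy and paste often adds surrounding whitespace or upper-case hex, so
    trim and lowercase first, then reject anything that is not a
    well-formed MD5 value instead of silently comparing against garbage.
    """
    value = published.strip().lower()
    if not _MD5_HEX.fullmatch(value):
        raise ValueError("published checksum is not a 32-character MD5 hex string")
    return value


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, read in chunks so that a large
    firmware image is never held in memory all at once."""
    digest = hashlib.md5()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, published):
    """True only if the file's MD5 equals the published checksum."""
    return hmac.compare_digest(md5_of_file(path), normalize_checksum(published))


if __name__ == "__main__":
    # Usage (file name is a placeholder):
    #   python verify_image.py <image-file>.out <checksum-from-support-site>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_image.py IMAGE_FILE PUBLISHED_MD5")
    image_path, published_md5 = sys.argv[1], sys.argv[2]
    if verify_image(image_path, published_md5):
        print("OK: image matches the published MD5")
    else:
        print("MISMATCH: do not install this image; download it again")
        sys.exit(1)
```

    A match shows that the file is the same as the one the checksum was published for; MD5 is not a signature, so the result is only as trustworthy as the authenticated HTTPS session the published value was read from.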

  • Appendix A: FortiGate VM

    FortiGate VM model information

    The following table provides a detailed summary on FortiGate VM models.

    For more information see the FortiGate VM product datasheet available on the Fortinet web site, http://www.fortinet.com/sites/default/files/productdatasheets/FortiGate-VM01.pdf.

    Table 30: FortiGate VM model information

    Technical Specification: FGVM-00; FGVM-01; FGVM-02; FGVM-04; FGVM-08

    Hypervisor Support: VMware ESX / ESXi versions 4.0, 4.1, 5.0, and 5.1; Citrix XenServer versions 5.6 SP2 and 6.0; Open Source Xen versions 3.4.3 and 4.1

    Virtual CPU (Min / Max): 1 / 1; 1 / 1; 1 / 2; 1 / 4; 1 / 8

    Virtual Network Interfaces (Min / Max): 2 / 10

    Memory Support (Min / Max): 512 MB / 512 MB; 512 MB / 1 GB; 512 MB / 3 GB; 512 MB / 4 GB; 512 MB / 12 GB

    Storage Support (Min / Max): 30 GB / 2 TB

    VDOM Support (Default / Max): 1; 10 / 10; 10 / 25; 10 / 50; 10 / 250

    Wireless Access Points Controlled: 32; 256; 512; 512; 1,024

    HA Support: Yes

  • FortiGate VM firmware

    Fortinet provides FortiGate VM firmware images for both VMware and Xen VM environments.

    VMware

    .out: Download either the 32-bit or 64-bit firmware image to upgrade your existing FortiGate VM installation.

    ovf.zip: Download either the 32-bit or 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

    Xen

    .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.

    .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source Xen.

    .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix Xen Virtual Appliance (XVA) and Virtual Hard Disk (VHD) files.
